Foreword

The advent of the digital age has made it inevitable that troops in contact will fall upon computers and related equipment valuable for the information they can provide about the enemy. In this paper, Dr. William G. Perry provides some guidelines about processing computer equipment for transfer to information and intelligence professionals who might wring out from digital storage media the critical information needed to penetrate the enemy's decision matrix. In addition, captured computer gear may often need to be protected by a chain of custody in order to support legal actions against illegal combatants — criminals.

The digital age meshes with the 21st century irregular warfare environment in which nonstate actors, armed groups, terrorists, and criminals confront established governments. Today's Special Operations Forces (SOF) are most likely to confront these opponents while on counterinsurgency, foreign internal defense, and counterterrorism missions. From the moment of tactical discovery until its presentation in the courtroom, digital evidence will need to be safeguarded and a valid chain of custody maintained so that the host nation (or U.S. Government) might successfully bring criminals to justice. This will fall on the shoulders of the SOF operators at the tip of the spear who must add yet another skill set to their already full rucksacks.

Particularly in direct action missions, the need to properly capture and bag-up enemy digital material can be critical to mission success, both for intelligence and legal purposes. Every strike team that descends upon the target will consider employing a "forensics team" that can rapidly identify sources of valuable digital information, document the findings, and secure computers and storage media.

While conducting actions on the objective, it may seem a bit too much to expect a SOF team to devote effort to fiddling with such details. Dr. Perry stresses that mission accomplishment and security will always be first in the minds of the warfighter, but the digital forensics effort will produce important results. The legitimacy of host-nation governments, and indeed the U.S. Government, is reinforced many fold when military operations are founded on the rule of law. Dr. Perry's ideas for "Assuring Digital Intelligence Collection" are tactical techniques that have a significant strategic payoff.

James D. Anderson, Director of Research
JSOU Strategic Studies Department
Introduction

The military establishment must acknowledge that the face of battle is changing. Information, as a dimension of conflict and competition, has vaulted to the forefront of importance of the future national security landscape and now must rank as at least co-equal with air, ground, sea, and space dimensions. Yet, even with its importance, we have just begun the intellectual examinations necessary to develop a viable theory of IO [information operations] that will underpin any discussion of war in the digital age.[1]

Information warfare may be as old as mankind, but the methods and the means of its application today are totally new. Key tactical information can be contained on digital storage devices that are worn on the body like jewelry. The enemy can transmit information with deadly results from devices that remain unseen to all but the trained eyes of those who know how to discover, secure, and preserve digital intelligence.

Code books, maps, encryption devices, and paper documents were once the subject of searches for useful intelligence on the battlefield. We still search for similar information, but critical data today can be found on secondary storage media that is the size of a fingernail, in electronic address books and cell phone memory, or written in unseen logs of data packets that have streamed into and out of the enemy's Internet-connected computer.

Discovering and preserving the enemy's critical electronic data can be game changers. We can gain a competitive advantage by being astute and co-opting the enemy's digital intelligence. We can glean electronic intelligence and get inside our adversary's decision-making loop.

The armed forces of the enemy, terrorists and criminals, use computers the way we do — for command and control purposes, to store information on personnel, to send and receive e-mails and text messages, to encrypt files, and to implement codes. High value information specifying size of force, battle logs, and plans for future action has all been discovered on seized electronic equipment. Files and disks, CDs, and DVDs that contain time and date stamps, Internet traffic logs, and data on the movement and whereabouts of an adversary's assets can all be recovered. Vital information can also be gleaned from unlikely electronic devices, such as digital picture frames, MP3 and MP4 players, and a variety of novelty storage media. The enemy is smart about how computers can be used as instruments of war and is getting smarter. We must do the same.

The likelihood that Special Operations Forces (SOF) will encounter computers, portable electronic equipment (e.g., personal data assistants, cell phones, and gaming systems) and digital storage media is high. The big challenge for SOF is to recognize, secure, and safeguard as much of the discovered data or information as possible so that it can be subjected to forensic analysis. Successfully discovering, preserving, and assuring digital intelligence for exploitation and legal purposes is essential to support our country's national security objectives against those who would do harm.

SOF are likely to be in the first-responder role for digital information. The data that is stored on electronic devices can easily be damaged if mishandled. Digital data is at risk of being destroyed, modified, or lost due to the volatile nature of electromagnetic storage and other technical issues. Alteration or damage to a few bits (i.e., 1s and 0s) of data can render much of what is stored on a memory device useless.[2] See Appendix A to learn more about the nature of stored information.

Corrupted data may be impossible to recover for analysis. Further, computer (or digital) based evidence may be worthless unless it is collected and presented in court in such a way that it will not contravene the rules of admissibility and will lead to the successful conviction of criminals (or terrorists).[3]

Seizing electronic devices and obtaining digital data fall under rules for information operations as promulgated by the Department of Defense. See Appendix B for a perspective of the Joint Chiefs on information operations. All branches of the armed forces are obliged to follow multinational doctrine and procedures that are consistent with U.S. law, regulations, and doctrine.

The purpose of this monograph is to help operators discover, preserve, and assure information assets so that they can be exploited for intelligence and legal purposes.

Statement of Problem

The challenge addressed in this monograph is to develop an understanding of how SOF can conduct IO (from tactical entry, discovery of digital assets, and the establishment of a valid chain of custody) without unnecessarily endangering the lives of operators while still assuring the integrity of digital information.

The task for operators is to follow procedures and protocols for data discovery and seizure that assure the preservation of highly volatile and perishable digital information. Stored digital information is very fragile. The precise manner in which electronic media is physically handled and collected from the target can place the integrity of stored digital information at risk. Data can be easily damaged, destroyed, or inadvertently modified.

The basics of assuring the integrity and usability of digital information must be employed to ensure the value of the digital information. Circumstances in the field, however, can rapidly become chaotic and unpredictable. The safety of operators is first. Electronic evidence, however, remains among the most problematic to assure.

SOF team members need to be able to identify potential sources of electronic information; recognize computers, network components, and storage media; and apply essential information assurance techniques.

SIDS: Digital Search and Seizure Procedures

A number of rational and well-conceived principles can be used to guide operators when involved in the search and seizure for digital information and electronic devices. Operators can remember the essence of the procedures with the acronym SIDS, which stands for scan, identify, document, and secure.


Table 1. Basic Search and Seizure Principles for Electronic Information

Step: Scan
  1. Visually scan the environment for the presence of electronic media and devices.
  2. Scan the area for the presence of a wireless network.

Step: Identify
  3. Identify electronic devices, all digital devices, media, and connections.
  4. Identify any network connections (local or external).
  5. Examine the devices for any visible damage.

Step: Document
  6. One team member (wearing an antistatic wrist band), if possible, should be responsible for custodianship and logging electronic devices.
  7. Log any visible physical damage.
  8. Photographically document room(s) in which the equipment is found, the front and back of the computer, and/or sketch any physical evidence (including cords and connections) to be seized before removing.[4]
  9. Determine if the device is on or off; it is on if the screen has content. Otherwise, look for lights or sounds.
  10. Operators should avoid interacting with the computer in any way, unless so ordered (i.e., on-loading surveillance software may actually be the mission).
  11. Secure the storage and electronic devices for removal using labels (to include the collector's initials, date, and time), putting evidence tape on the back of the machine, and store seized equipment in antistatic plastic wrap or bags (i.e., cardboard boxes and cotton cloth can be used as an improvised substitute).
  12. Record all activities conducted and maintain a chain of custody; see Appendix C.

Step: Secure
  13. Secure any printed material or hard-copy evidence.
  14. Power down any devices that are on and log the time of the shutdown.
  15. Safely secure seized electronic devices and media for transport in any hard-shell case (if available), cardboard box, packing foam, antistatic plastic wrap, or cotton cloth.
  16. List what is contained in each container that is being transported when time permits and seal with evidence tape.
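As an added illustration of the Document and Secure steps above (items 6, 11, 12, 14 and 16), and not part of the monograph or of any official tool, here is a small tamper-evident evidence log in Python: each entry carries the collector's initials, the time, the item label and the action taken, and is hash-chained to the entry before it so that a later alteration or deletion of any line is detectable when the log is reviewed. The case id, initials, item labels and timestamps are constructed sample values.

```python
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone


@dataclass
class Entry:
    """One line of the evidence log, hash-chained to the line before it."""
    seq: int
    time_utc: str
    collector: str      # collector's initials, matching the label on the item
    item: str           # label on the device, cable, or transport container
    action: str         # seized | powered_down | sealed | packed | transferred
    note: str
    prev_hash: str
    entry_hash: str = ""


def entry_digest(e: Entry) -> str:
    """SHA-256 over every field except the entry's own hash, in a fixed order."""
    body = asdict(e)
    body.pop("entry_hash")
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class EvidenceLog:
    """Append-only log; the hash chain is anchored to the case identifier."""

    def __init__(self, case_id: str):
        self.case_id = case_id
        self.entries: list[Entry] = []

    def _genesis(self) -> str:
        return hashlib.sha256(self.case_id.encode()).hexdigest()

    def record(self, collector: str, item: str, action: str,
               note: str = "", when: datetime | None = None) -> Entry:
        when = when or datetime.now(timezone.utc)
        prev = self.entries[-1].entry_hash if self.entries else self._genesis()
        e = Entry(seq=len(self.entries) + 1,
                  time_utc=when.strftime("%Y-%m-%dT%H:%M:%SZ"),
                  collector=collector, item=item, action=action,
                  note=note, prev_hash=prev)
        e.entry_hash = entry_digest(e)
        self.entries.append(e)
        return e

    def custody(self, item: str) -> list[str]:
        """Successive holders of an item (its chain of custody), repeats collapsed."""
        holders: list[str] = []
        for e in self.entries:
            if e.item == item and (not holders or holders[-1] != e.collector):
                holders.append(e.collector)
        return holders

    def manifest(self, container: str) -> list[str]:
        """Items recorded as packed into a transport container (Table 1, item 16)."""
        return [e.note for e in self.entries
                if e.item == container and e.action == "packed"]

    def verify(self) -> tuple[bool, int]:
        """Re-walk the chain; returns (ok, seq of the first bad entry, or 0)."""
        prev = self._genesis()
        for e in self.entries:
            if e.prev_hash != prev or entry_digest(e) != e.entry_hash:
                return False, e.seq
            prev = e.entry_hash
        return True, 0


def demo_log() -> EvidenceLog:
    """Constructed walk-through for one desktop: seize, power down, seal, pack, hand over."""
    t = datetime(2010, 3, 14, 2, 17, tzinfo=timezone.utc)   # constructed time
    log = EvidenceLog("CASE-EXAMPLE-001")                     # constructed case id
    steps = [
        ("JDA", "PC-01", "seized", "desktop; rear photographed; RJ45 and power attached"),
        ("JDA", "PC-01", "powered_down", "plug pulled from the wall"),
        ("JDA", "PC-01", "sealed", "evidence tape over drive bays and power socket"),
        ("JDA", "BOX-01", "packed", "PC-01"),
        ("JDA", "BOX-01", "packed", "USB-01"),
        ("JDA", "BOX-01", "sealed", "evidence tape over box seams"),
        ("RKS", "BOX-01", "transferred", "received from JDA for transport"),
    ]
    for i, (who, item, action, note) in enumerate(steps):
        log.record(who, item, action, note, t + timedelta(minutes=3 * i))
    return log


def tamper_check() -> tuple[bool, int]:
    """Alter one stored note after the fact; the chain must fail at that entry."""
    log = demo_log()
    log.entries[1].note = "shut down from the Start menu"   # forged change
    return log.verify()


if __name__ == "__main__":
    log = demo_log()
    print("chain valid:", log.verify())
    print("custody of BOX-01:", log.custody("BOX-01"))
    print("BOX-01 manifest:", log.manifest("BOX-01"))
    print("after tampering:", tamper_check())
```

Because every entry commits to the hash of the one before it, removing a line from the middle breaks the chain at the next entry just as editing a line does.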

What types of electronic media and devices should be considered when scanning the environment? Operators should scan the environment for a variety of computers and electronic devices that are capable of storing information. Computers include desktops, laptops, notebooks, and sophisticated hand-held devices such as iPhones and iTouch devices and a Blackberry. Images of a number of these devices are shown in Figure 1.

Other electronic devices can be used to store digital data. Operators should be able to identify them. Table 2 lists a number of digital devices that can be used to store data.

Even a Microsoft Xbox can be turned into a Linux network server capable of supporting an entire network of computers. Other devices that can process and store information include TiVo, DVD players, and any number of personal entertainment equipment.[5]
Figure 1. Examples of Electronic Media and Devices: iPhone or iTouch; Blackberry; PCMCIA wireless card; authentication/ID token (courtesy Dell Computers)


Table 2. Other Electronic Devices Can Contain Digital Data

• Answering machines
• Audio recorders
• Caller ID devices
• Cellular telephones
• Chips
• Copying machines
• Databank/organizers
• Digital cameras (still and video)
• Digital picture frames
• Disks, CDs, & USB drives
• External hard drives
• Fax machines
• Flash memory cards
• GPS devices
• Pagers
• Personal data assistants
• Printers
• Removable media
• Scanners
• Telephones
• Video game consoles and media
• Video recorders
• Wireless access points

What type of media can be used to store electronic information? Operators should look for the presence of typical computer storage media; Figure 2 provides examples.
Figure 2. Typical Computer Storage Media: CDs and DVDs; disk; thumb drive; internal hard drive; external hard drives; WiFi; credit card storage


The design of some storage devices falls into the category of being novelty storage media and may be deliberately deceptive. Examples include USB wrist bands as well as the deceptive Swiss army knife and pen USB drives shown in Figure 3.


Figure 3. Pen USB drive and Swiss Army knife with USB


Other storage media is so small that it can easily be overlooked lying on any surface. One such medium is known as SD (Secure Digital) disk memory. A significant amount of information can be stored on an SD, and it can be as small as a postage stamp or fingernail. Some examples are displayed in Figure 4. Operators should be on the lookout for any gadget, mechanism, or apparatus that can be used to store electronic content.

Figure 4. SD Disk Memory
How do you recognize a computer network when scanning the environment? Computers can communicate with other computers when they are connected. The connection can either be wired or wireless. Operators can recognize a computer that is capable of communicating with a network in two ways.

The first way to determine if a computer is on a network is to look at the connections on its back. If more than a power cord is hanging off of the back of the computer, it is connected to something. A computer that is hard-wired to an internal network or the Internet uses a NIC (network interface card). The connection is either made using an RJ45 connector, coaxial cable, or what may appear to look like a cell phone or satellite radio. The wire or cable coming off the back of the computer is either connected to a router or what might appear to be an outlet on the wall.

If the computer is connected to a router, it can be hard-wired to other computers or be broadcasting to other computers wirelessly. Figure 5 shows examples of computer networking media and devices.

Figure 5. Examples of Computer Networking Media and Devices

A NIC can be manually inserted into a vacant slot on the inside of the computer or built-in on the motherboard. The operator must determine what device the computer is connected to if more than a power cord is connected to the back of the computer. Devices that are identified must also be seized if at all possible. Regardless, a wireless network may still be present.
Operators need to establish whether there is evidence of a wireless network. The area can be quickly scanned using a wireless signal detection device (like the ones shown in Figure 6).

Figure 6. Wireless Detection Devices (* courtesy SPY Associates, www.spyassociates.com; ** courtesy Dell Computers)

Certain cell phones, an iPhone, or other personal hand-held communications equipment can alternatively be used to detect the presence of a wireless network but might be less helpful in detecting the exact location of other computers and devices.

Discovering a wireless network can result in a major payoff because the distance that a wireless signal can travel is limited (under 300 feet). The presence of a wireless network indicates that other computers and hardware are close and need to be secured if time permits. A large capacity wireless hard drive, for example, might be hidden from view and mounted in the ceiling or behind a wall. Figure 7 shows a wireless storage device.

What should happen after successfully scanning the environment and identifying computer hardware and network components? Enemy computers or electronic components, once discovered and identified, must be thoroughly documented and secured for safe transport. The original state of the electronic devices must be photographed or sketched and only limited interaction with the equipment, components, and storage media should occur. Operators should avoid exceeding their knowledge level with regards to electronic equipment. Successfully preserving digital intelligence for forensic analysis will allow intelligence analysts the opportunity to step "inside" the adversary's decision-making cycle. See Appendix D on computer forensics.

Figure 7. Wireless Hard Drive (courtesy Dell Computers)

How do you document the scene and what is seized? Photograph and/or sketch the actual physical space in which electronic devices or media is discovered, if possible, as soon as the space is secured. The images on the monitor of any computers that are turned on must be photographed. The layout and contents of the room(s) should also be documented with photos or sketches.

Pictures should be taken of the front, back, and sides of all computers and devices that are discovered before being touched or moved. All connections should also be documented. Evidence tape, ideally, should be placed on any open computer drive bays and other access points on the computer case, including the opening for the power plug when it is eventually unplugged.

A voice-activated audio recorder would likely be the best alternative for documenting or logging activities when safety and time are critical.

A number of possible scenarios exist that operators might encounter; they are explored in this monograph. Following procedures that increase the chances of successful information preservation becomes very important.

Every situation is different. How should you react? SOF may discover computers, unexpected electronic devices (e.g., MP3 players, personal data assistants, cell phones, land-line telephones, voice recorders, answering machines, computers, fax machines, copying devices, and paging devices), and media in the course of carrying out mission objectives. Digital cameras, DVD players, and home entertainment devices also have large storage capacity that the enemy can use to store a significant amount of information. Critical information and data (intelligence) can be discovered when very little is expected (e.g., phone numbers stored in memory, PINs, passwords, or messages).

Use the general SIDS procedures if time and safety permit. The environment should be scanned to identify electronic devices, computer networks, and storage media as soon as possible. Prevent all interaction with computers or electronic devices at the scene. One individual, if possible, should process any electronic devices that are discovered. That which is discovered for seizure should be photographically documented or sketched. An evidence log should be initiated when it is possible to do so without endangering personnel.

Electronic devices, cords, cables, and connectors should be labeled for each unique device and secured for safe transport. An effort should be made to take the computer mouse because it is capable of storing large amounts of data. Pens, watches, cassette tapes, and even a Swiss army knife can potentially hold memory cards or large amounts of stored information.[6] All manuals or other printed materials related to the electronic devices should also be seized.

In all likelihood a need would exist to transport or remove the computer or media from the scene. Devices should be packaged in antistatic material, when possible, and put in a case that is designed to transport fragile items. Any electronic devices or storage media must be kept away from magnets, moisture, dirt, dust, radio signals, or other high energy electromagnetic fields (including electric motors).

When conducting highly dangerous combat operations, maintaining a well-documented chain of custody is near the bottom of the list of priorities. Establishing a chain of custody that might be used in later legal proceedings, however, moves closer to the front of the line once the safety of team members has been assured.

The assumption is made that the computers or electronic devices discovered on the scene must be quickly removed. Otherwise, if time permits, there would be other forensic techniques that must be applied (i.e., a RAM dump and/or the copying of files, imaging the hard drive, recording processes that are running, observing services that are presently being run, searching for IP addresses and possibly noting permissions to other off-site resources).

What follows are a number of scenarios that indicate what can be done if enemy computers, electronic devices, or storage media are discovered.

Scenario 1. Computer or electronic device is discovered in a power-on condition.

When a desktop computer or electronic device is discovered in a powered-up condition, the computer should be left on until basic documentation has occurred. The contents of the screen should be photographed.

Operators should immediately restrict the number of people who come into contact with the digital device. Any digital devices must be secured and prevented from coming into contact with any other electronic devices. The complete scene should be photographically documented or sketched. Any visible connections on the computer should also be documented.

The room or area should be checked to determine if any wireless telecommunication signals are present. The possibility exists that other devices may be operating wirelessly and connected to other computers like a wireless electronic storage device. If a wireless signal is found, a quick search of the area (i.e., in the ceiling, behind walls) should be performed if time permits.

Remaining steps to keep in mind follow:

a. Power down the computer after documenting the device by pulling the plug from the wall or the power supply.

b. If possible, place evidence tape on all drive bays or any openings on the devices that are discovered. If time permits, attach labels to each connection that is visible.

c. Begin an evidence log as soon as the operation is secured and team safety is assured.

Scenario 2. Single computer or electronic device is discovered in a power-off condition.

Upon discovering a computer or electronic device and determining that it is turned off, do not turn it on.[7] Examine the connections on the back of the computer and photograph them. Label any connections so as to assist in reassembly. Take pictures of the computer and any other devices to which it is connected.

Other areas for attention follow:

a. Unplug the computer from the wall (if plugged in) and remove any connection from the back of the computer that appears to be connected to a telephone or other device. Computers can be turned on remotely, and all relevant evidence could be erased.

b. Check the room or area for the presence of wireless signals. Identify, document, and secure any wireless devices that are discovered.

c. Take pictures of electronic devices and media before touching them. Place evidence tape, if time permits, on all drive bays and open receptacles on any computers, media, and other devices that are discovered. Take special care when transporting the machine and keep the device(s) away from high energy fields such as magnets and radio transmitters.


Scenario 3. Monitor of a desktop computer is off, but the computer is on.

Attempt to determine if the discovered computer is in a power-on condition or running. The CPU might be running with the monitor off. Listen carefully for any electronic noises, possibly from a fan motor or storage mechanism. Look for any lights on the computer. Here are the corresponding actions:

a. Turn on the monitor and document the contents that appear on the screen.

b. Scan the area for the presence of any wireless signals. Identify, document, and secure any wireless electronic devices that are discovered.

c. Take pictures and label any connections on the back of the computer or electronic devices that are found. Also document any changes made to any discoveries.

d. Remove any devices from their power sources by unplugging them from the wall. Secure the computer for safe transport in antistatic bags and keep the device away from high energy fields or extreme conditions.


Scenario 4. Stand-alone computer is discovered.

Photograph the screen and all connections if the device is powered up. Note: Do not turn on the computer or device if it is powered down. Two other actions follow:

a. Check the area for any wireless signals. Identify, document, and secure any wireless computers or devices that are discovered.

b. Document and label all connections on all devices. Place evidence tape on all openings of the computer case. Secure the devices for transport and establish the chain of custody.


Scenario 5. Portable computer is discovered.

Upon discovering a portable computer (e.g., notebook or laptop), check to determine if it is connected to either a power source or other device. Avoid turning the computer on if it is off. Also scan the environment to determine if there are any wireless signals being broadcast. Related thoughts or remaining actions follow:

a. If the power is on when the portable computer is discovered, photograph the screen as well as the back and all connections. Avoid turning off the power of the portable computer if at all possible by keeping the battery charged. Be sure to document any changes made in the computer from the way it was found (e.g., plugging a laptop into a recharger).

b. Check to determine whether the portable computer is in what is known as a low power mode. The screen can be blank and even the lid closed. Double check to see if a faint LED light is blinking on the front of a portable computer. That would indicate that the laptop is in a low power mode. If a portable computer is discovered in a low power mode, follow the steps in Scenario 1.

c. If not in a low power mode, perform a hard-power down — that is, hold down the power switch for at least 10 seconds. Attach evidence tape to the case and any openings on the back.

d. The on-scene operators should also attempt to locate any carrying case for the portable computer and document its removal from the premises. The case and its contents (i.e., extra USB drives or disks, CDs, or DVDs) could contain significant information.

e. Secure the computer for safe transport.


Scenario 6. Networked computers and peripheral devices are discovered.

Check the back of a computer to determine if it is connected to a network interface card via an RJ45 connector. Scan the environment for a wireless signal. Discovering computers and other devices that are connected is very significant. At least one or more workstations are connected to a network server. Finding a network server could provide a gold mine of useful intelligence. The likelihood of a server also being connected to the Internet is high.

Pictures should be taken of any monitors that are powered up, and any
connections between the electronic devices should be documented and
labeled. Evidence tape should be placed on all the drive openings on the
computer, router, devices, or media for safe transport.


Scenario 7. External storage devices and media are discovered.

External storage devices may include disks, CDs, DVDs, USB drives, cell
phones, personal data assistants, compact flash drives, MP3 players,
cassettes, electronic games, or other devices (i.e., a digital picture
frame). An effort should be made to discover these devices; document them
in the location where they are found, then label them and apply evidence
tape. Ideally, only one individual should handle each device. Other
actions follow:

a. Any external devices that are plugged into a power source should be
examined. If any lights are on or showing, pictures should be taken of the
front of the device.

b. Any connections to the back of the device should also be noted. The
connections should be labeled and disconnected from the power source.

c. Any devices that are discovered should be placed in an antistatic
wrapping and securely packaged for transport.
Summary

SOF are called upon to conduct direct action missions that support the
national security objectives of the United States. Increasingly, SOF
operate in an asymmetric threat environment in which electronic devices
and storage media are used directly by the enemy to support their ability
to conduct war. SOF are likely to encounter computers and electronic
equipment when conducting operations. The opposition continues to expand
its use of electronic information, and the U.S. needs to counter the threat
by conducting effective and intelligent information operations.

Electronic devices and information that are stored in computer memory or
other media can be extremely volatile and can easily be destroyed or
modified. This is true even under normal operating conditions.

The discovery of electronic information and devices can be either expected
or unexpected. A good chance exists that actionable intelligence can be
gleaned from seized electronic devices by following digital assurance best
practices. Establishing a chain of custody can also increase the chance
that terrorist action can be thwarted and successfully prosecuted.
Glossary

binary: Technique for representing data as a series of 1s and 0s

CPU (central processing unit): Portion of the computer where high speed
computations occur

computer forensics: Application of computer investigation and analysis
techniques to determine potential legal evidence (or intelligence)

data: Representation of facts that can be used for processing and creating
information for decision making

digital evidence: Information that is stored in electronic format using the
binary numbering system

dongle: A device that plugs into an available computer port (i.e., USB) and
performs a useful service such as encryption, infrared data transfer, or
network connectivity

hardware: Any object or component that can be associated with a computer
system

information: Processed data

information assurance: Methods and techniques used to assure the
confidentiality, legacy, integrity, and nonrepudiation of information

information operations (IO): Integrated employment of the core capabilities
of electronic warfare, computer network operations, psychological
operations, deception, and operations security in concert with specified
supporting and related capabilities to influence, disrupt, corrupt, or
usurp adversarial human and automated decision making while protecting our
own

Internet: Network(s) that connect millions of computers across the globe
using internationally accepted protocols

IP (Internet Protocol): The standard that works with Transmission Control
Protocol (TCP); that is, it describes how an Internet-connected computer
should break data down into packets for transmission across the network,
and how these packets should be addressed so they arrive at their
destination

Linux: Computer operating system

media: Computer storage mechanisms (e.g., hard drives, USB drives, disks) as
well as the means of transmitting data (i.e., twisted wire pairs, fiber
optic)

network: More than one connected computer

protocols: Standardized rules for electronic communications

RAM (Random Access Memory): Volatile electronic storage that retains data
only as long as power is being received

RAM dump: Copy of volatile memory that can include unsaved documents, chat
sessions or text messages, passwords, and other critical information

RJ45: Computer network connector

ROM (Read-only Memory): Memory that is permanently inscribed on a computer
chip

server: Computer that manages network resources and authorized users

TCP/IP: The complete Internet protocol suite; that is, the set of protocols
for transmitting data over computer networks and the Internet

uninterruptible power supply: Usually a short-term emergency backup power
supply for a computer or electronic device

volatile: Fragile or subject to easy destruction

wireless: Term frequently used to describe a computer network connection
that is accomplished without a physical connection

wireless hard drive: External storage device, likely with a massive storage
capacity, that can connect to a computer or network wirelessly; wireless
storage devices can connect to routers using radio frequency (RF)
technology and be easily hidden from view (i.e., above ceiling tiles or
behind walls)
Appendix A. The Nature of Stored Information

Electronic data consists of charges that are either processed or recorded
on magnetic media. A single positive charge may be thought of as a “1” and
a negative charge as a “0.” Alphabetic characters, numbers, and specialized
symbols are represented by a fixed series of 1s and 0s that can be reviewed
in the ASCII table (as shown in Appendix E).

Data is processed and turned into information.

Electronic data can be permanently or temporarily stored on chips in
computer memory or on secondary storage devices (commonly referred to as
CDs, DVDs, or disks). Random Access Memory or RAM (usually located inside
the device) stores information that is volatile. RAM retains data only as
long as it is receiving power. RAM is volatile and usually connected to the
internal motherboard of the computer. If RAM chips are found loose or
unattached, secure them. Useful information about the nature of the enemy’s
devices and systems could be gleaned. An example of a RAM chip is displayed
on the right.

The second type of internal memory is known as Read-only Memory or ROM.
The instructions contained on a ROM chip are executed when the device is
powered on. ROM chips are usually found inside the computer. Any ROM chips
found loose should also be secured for their intelligence value. Shown
below are images of ROM chips.
Both user-created and computer-generated information can be potential
sources of useful information, but operators must remember that
electronically stored media is extremely delicate. Some data that is
electronically stored is volatile (it would disappear if the power was
turned off) whether it is being processed, transmitted, or stored. Turn off
the power, and the data disappears.

Exposure to a powerful magnetic field, for example, can erase or alter
stored information. Exposure to vibrations, shocks, moisture, or rough
handling can cause stored information to be lost.

The basic characteristics of electronic information must be understood;
a summary follows:

a. Storage media include hard drives, CDs, DVDs, disks, SD disks or flash
memory, USB drives, external hard drives, network storage devices, and
wireless storage devices. Data stored on media are all forms of secondary
storage.

b. Information that is stored in RAM or ROM is referred to as primary
storage or memory.

c. Preserving the usefulness of digitally stored data involves the careful
collection and documentation of electronic media. For example, data that
is recorded on secondary storage and exposed to magnetic or electromagnetic
fields can be altered or destroyed and lost forever.
Appendix B. Information Operations: The Joint Chiefs of Staff Perspective

Senior military officials view information as being a “strategic resource,
vital to national security, and [that] military operations depend on
information and information systems for many simultaneous and integrated
activities.” Information operations is defined as any actions taken to
affect the adversary’s information, information systems, and decision
making while defending one’s information, information systems, and
decision-making capability. Information operations include many dimensions
such as electronic warfare, computer network operations, psychological
operations, military deception, and operations security.

SOF contribute directly to information operations “in concert with
specified supporting and related capabilities to influence, disrupt,
corrupt, or usurp adversarial human and automated decision making while
protecting our own.” Successful planning, preparation, execution, and
assessment of information operations (IO) demand detailed and timely
intelligence, and this must be conducted in a manner that positively
affects net intelligence gains or losses.

One of the most important perspectives of the Joint Chiefs is summarized
in the following quote: “The IC (Intelligence Community) must implement
technical and procedural methods to ensure compliance with the law,” and
that “specific sources and methods be positioned and employed over time to
collect the necessary information and conduct the required analyses.”

Part of the joint mission objectives of Special Forces and IO is following
methods and techniques that legally assure digital information for forensic
purposes. The services, United States Special Operations Command, and
federal agencies develop capabilities based upon their core competencies
embodied in law, policy, and lessons learned. Joint Publication 3-13
emphasizes that IO can affect data, information, and knowledge “by taking
actions to affect the infrastructure that collects, communicates,
processes, and/or stores information in support of targeted decision
makers.”

Included in the most recent IO doctrine established by the Joint Chiefs is
a recognition that information is a strategic resource that is supported by
related capabilities to influence, disrupt, corrupt, or usurp adversarial
human and automated decision making while protecting our own. The main
principle is to obtain information superiority. Therefore, information
operations should be integrated and coordinated with a wide variety of core
competencies.

Also included in the IO doctrine is recognition that the dynamic
information environment must be assessed, collected, and analyzed. DoD
Directive S-3600.1, “Information Operations” (as revised), emphasizes the
attainment of information superiority and the use of information age
technologies to get the maximum strategic and tactical benefits for
protection and situational awareness. The directive also mentions that all
information that is obtained be integrated into operations to support
engagement strategies and policies.

Significant attention must be paid as to how information obtained in a
foreign country must be handled. Two aspects deserve attention. One is how
the information can be preserved and processed for evidential purposes,
and the other is what can be legally secured by U.S. forces operating in a
foreign country.
Appendix C. Establishing a Chain of Custody

What is a chain of custody and how can it be established?

The first goal of a direct action mission is to assure the safety of team
members. An additional purpose, if electronic devices are discovered in the
process of carrying out mission objectives, is to preserve the intelligence
value of information contained on seized electronic devices and establish
a chain of custody (if at all possible) of any seized electronic equipment,
media, and materials.

The forensic analysts to whom custody of the seized items would be given
need to know as much as they possibly can about the environment and
circumstances under which the electronic media was seized. Critical to any
successful legal proceedings in which the recovered electronic media is
used would be a well-documented chain of custody. For example, a
narcoterrorist’s defense attorney could claim that seized electronic
evidence was mishandled by a special operator or others, or suggest it was
purposely manipulated to implicate the defendant. The concept of reasonable
doubt might be introduced, and the guilty individual might otherwise be
found innocent.

The operators should collect everything that can be legally obtained and
document it. The marking and tagging of all equipment, media, and cables
is necessary. Properly labeled cardboard boxes, if they are used for
transport, are also necessary.

Document each item of seized equipment or media in an evidence log. An
evidence log should contain the name of each item, time, date, and a
description of any interactions that team members have with the item(s).
Appendix D. Computer Forensics

What is computer forensics?

Computer forensics actually begins when SOF operators scan, identify,
document, and secure (SIDS) the digital assets to be seized and
successfully secure them for transport, then eventually turn them over to
forensic specialists and intelligence analysts for technical exploitation.
The information that is gleaned can be used either for tactical or
strategic intelligence or for legal purposes to prosecute enemy combatants,
terrorists, and criminals.

One or more operators should be trained in basic computer forensic skills,
from scanning and identifying to documenting and securing the enemy’s
digital assets. Any computer-based evidence is useless unless it is
properly identified, collected, and preserved in a manner that follows the
rules of admissibility so it can be used to successfully convict criminals
or terrorists. The collection and presentation of computer evidence is,
therefore, a technical matter that must nonetheless be undertaken in strict
compliance with legal rules.

“Computer forensics involves the identification, extraction, documentation,
preservation, and interpretation of computer data.” Electronic information
that is seized as a result of special operations may be used for near-time
intelligence-gathering purposes or as evidence in later legal proceedings,
in which case chain of custody must be documented. Failure to provide for a
well-documented chain of custody may destroy a court case against a
criminal.

The collection and presentation of computer evidence is therefore a
procedural and technical matter that must be undertaken in strict
compliance with legal rules. An entry into an evidence log should be made
that includes the time and date the media was recovered after the safety
of the SOF team is assured.
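The evidence log called for in Appendix C and again here records, for each seized item, its name, the time and date, and every interaction team members have with it. The Python below is an added illustration, not part of this paper or any SOF tooling: it keeps those fields per entry and chains each entry to the SHA-256 of the one before it, so that an undocumented later edit, deletion or reordering of an entry is detected on verification. The class names, item tags such as "LT-01", handler names and timestamps are constructed sample values.

```python
"""Hash-chained evidence log (illustrative; not the paper's own tooling).

Each entry holds the item label, a UTC timestamp, the handler and a free-text
description of the interaction.  Every entry also carries the SHA-256 of the
previous entry, so editing, dropping or reordering an entry after the fact
breaks the chain and verify() reports where.  All sample values are constructed.
"""
import hashlib
import json
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone
from typing import List, Optional

GENESIS = "0" * 64  # prev_hash value used by the very first entry


@dataclass
class LogEntry:
    item: str          # label written on the evidence tag, e.g. "LT-01" (constructed)
    action: str        # what was done with the item
    handler: str       # operator who touched the item (constructed name)
    timestamp: str     # ISO-8601 UTC, fixed when the entry is written
    prev_hash: str     # SHA-256 of the preceding entry, GENESIS for the first
    entry_hash: str = field(default="")

    def compute_hash(self) -> str:
        # Hash every field except entry_hash itself, in a canonical JSON form
        # so the digest does not depend on field order or whitespace.
        body = {k: v for k, v in asdict(self).items() if k != "entry_hash"}
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class EvidenceLog:
    def __init__(self) -> None:
        self.entries: List[LogEntry] = []

    def record(self, item: str, action: str, handler: str,
               timestamp: Optional[str] = None) -> LogEntry:
        """Append one interaction; the link is the previous entry's hash."""
        if timestamp is None:
            timestamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        entry = LogEntry(item, action, handler, timestamp, prev)
        entry.entry_hash = entry.compute_hash()
        self.entries.append(entry)
        return entry

    def verify(self) -> Optional[int]:
        """Index of the first entry that breaks the chain, or None if intact."""
        expected_prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.prev_hash != expected_prev or e.entry_hash != e.compute_hash():
                return i
            expected_prev = e.entry_hash
        return None

    def history(self, item: str) -> List[str]:
        """Every interaction logged for one tagged item, in the order recorded."""
        return [e.action for e in self.entries if e.item == item]


def demo_tampered_log() -> Optional[int]:
    """Build a short log for a laptop found powered on, then alter one entry."""
    log = EvidenceLog()
    # Constructed entries mirroring Scenario 5: photograph, preserve power, tape.
    log.record("LT-01", "photographed screen, rear panel and connections",
               "op-A", "2009-03-04T02:14:10+00:00")
    log.record("LT-01", "plugged laptop into charger to preserve battery",
               "op-A", "2009-03-04T02:15:02+00:00")
    log.record("LT-01", "evidence tape applied to case and ports",
               "op-B", "2009-03-04T02:17:45+00:00")
    assert log.verify() is None          # untouched log verifies clean
    # An after-the-fact rewrite of the second entry breaks the chain at index 1.
    log.entries[1].action = "no changes made to device state"
    return log.verify()                  # -> 1
```

Printing or exporting the entries as JSON gives the analysts receiving custody the same record, and they can re-run verify() on their copy to confirm nothing changed in transit.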

What are the potential forensic missteps?

All manipulation and handling of electronic devices or media should be
documented to preserve the chain of custody and the authenticity of
information. If the computer or device is to be unplugged, a quick
determination should be made as to whether the device is plugged into an
uninterruptible power supply (UPS) or simply a wall socket. The computer
should be unplugged from its source (from the wall if a UPS is absent).
Otherwise, unplug the UPS from the wall socket. The computer (or device)
will still run off of the reserve power supply for a short while (usually
minutes). A determination may be made to keep the computer plugged into
the UPS until the seized equipment can be plugged into a permanent power
source.

Keep any seized electronic media away from electromagnetic fields (such as
loudspeakers, magnets, motors, and radio transmitters). Secure the devices
from all environmental extremes including heat, cold, dust, moisture, and
severe vibrations or physical shocks.

Computers should be powered down only after pictures are taken of the
monitors. Computers should never be turned off if a computer forensic
specialist is available or the potential exists to keep the device powered
(i.e., properly documenting the procedure and recharging laptop batteries).

What are the general forensic procedures?

There are a number of general principles that underpin the collection and
assurance of digital information seized during operations. The SIDS
acronym captures the essence of what should be done by SOF.

The safety of personnel, first, is of paramount importance. All actions
taken with regard to electronic information should avoid creating or
causing changes or damage to electronic evidence. Personnel should have
basic knowledge of how to preserve digital information. Appropriate tools
should be used when possible. All steps taken to preserve digital
intelligence collection should be fully documented, including pictures or
digital images and notes when possible. “Documentation of the scene should
include the entire location — for example, the type, location, and position
of computers, their components and peripheral equipment, and other
electronic devices.”

Specific recommendations for conducting forensic computer operations in
the civilian world follow:

a. Train personnel in basic computer forensic techniques.

b. Gather needed tools and a supply of packaging materials prior to the
operation that will help to assure the safe removal of the digital devices
and media (see Appendix F).

c. Prepare any preliminary paperwork (log sheets).

d. Brief personnel on any expected digital evidence or information that
might be recovered.

e. Evaluate and train relative to the current legal considerations for
targets and crime scenes.

f. Designate at least one forensic computer specialist.

g. Secure and perform initial assessment of the scene.

h. Identify computer and electronic devices and media.

i. Prevent any suspects found at the scene from interacting with the
computer or other electronic devices or power supplies.

j. Avoid interacting with the computer or executing any programs.

k. Begin either an audio or written log to establish chain of custody.

l. Document computer and electronic evidence by labeling, photographing,
or sketching.

m. Package all electronic devices, media, and other evidence for safe
transport.

n. Label all parts and pieces and secure openings with evidence tape.

o. Remove and safely transport evidence and protect the physical integrity
of the components.
Appendix E. ASCII Table and Description

The Web site www.LookupTables.com provides a concise explanation of the
ASCII code:

ASCII stands for American Standard Code for Information Interchange.
Because computers can only understand numbers, an ASCII code is the
numerical representation of a character such as “a” or or an action of
some sort. ASCII was developed a long time ago and now the nonprinting
characters are rarely used for their original purpose. The ASCII character
table is shown below; it includes descriptions of the first 32 nonprinting
characters. ASCII was actually designed for use with teletypes, thus the
descriptions are somewhat obscure. If someone says they want your CV in
ASCII format, what that means is “plain” text with no formatting such as
tabs, bold, or underscoring — the raw format that any computer can
understand.

This request is usually so they can easily import the file into their own
applications without issues. Notepad.exe creates ASCII text, or in
Microsoft Word you can save a file as “text only.”
Appendix F. Equipment and Supplies for Information Operations

Among the equipment and supplies needed to secure a scene where electronic
media is encountered would be a voice-activated audio recorder, a small
digital camera, antistatic wrist band, evidence tape, labels, indelible
writing pen, and antistatic wrapping materials or bags.

Digital cameras should be used to document the placement and condition of
the area in which electronic devices and stored digital information are
found. Pictures of the monitor screens, CDs, tapes, and recorders should be
taken in their original location and secured in a dust- and shock-free
environment.

Connections should be digitally documented and labeled for evidentiary
purposes if time and personnel safety make it possible.

What investigative tools should be used?

Special tools and resources should be used to obtain and secure electronic
information. For initial securing, documentation, packaging, removal, and
transporting, include the use of tamper-resistant evidence tape, a
flashlight, regular pliers, needle-nosed pliers, and rubber gloves. Also
include a handheld device that detects wireless signals.

Among the recommendations are antistatic packing materials of sufficient
size to package CPUs, PDAs, laptops, hard drives, and other media.
Preprinted forms could be used to help ease the burden of maintaining a
chain of custody after the seizure of evidence.

How do you package and transport devices containing digital information?

Seized electronic devices should be placed in a hard shell carrying case
that provides protection from dust, extremes in temperature, shock, and
moisture.

All electronic devices that are seized must be documented, labeled, and
packaged before they are transported. Doing so in the field might be very
difficult to accomplish within a limited time without endangering the lives
of personnel. Investigators should be mindful of any trace evidence (i.e.,
latent fingerprints) and try to preserve it. Avoid using materials (i.e.,
wool cloth) that could produce static electricity.

Avoid bending, folding, or scratching media such as storage disks, CDs, or
DVDs. Properly label all containers in which seized material is to be
transported.